A Context-Aware Kernel IPC Firewall for Android

Presented at ShmooCon XIII (2017), Jan. 14, 2017, noon (60 minutes)

Our phones go wherever we go. Ever present, and with ever more data and connections, smartphones hold as much sensitive data as traditional systems but do not have the same protections. Android's recent 6.0 (Marshmallow) release introduced much needed dynamic permission checks for applications. However, this does not go far enough in adapting to mobile phone's unique security needs. Smartphones encounter a wide variety of settings and situations that current security solutions fail to account for. We introduce a context-aware IPC firewall for Android that dynamically filters messages based on environmental data. Our BinderFilter can both block and modify Android IPC messages sent through Binder, which is in a position of complete mediation in Android. Our Binder hooking framework and message parser are unique in their scope and implementation-and mitigate broad classes of cross-app attacks, such as "collusion´┐Ż? and "UI-based activity hijacking´┐Ż? attacks. We also provide a policy application, Picky, with which users can set policy rules for any message and target applications.


  • Sergey Bratus
    Sergey Bratus (@sergeybratus) is a research associate professor at Dartmouth College. He and his students demonstrated many powerful execution mechanisms where least expected: in DWARF debugging, in ELF metadata, in the x86 MMU, and collaborated with industry researchers to build security tools for protocols such as USB, 802.15.4/ZigBee, and 802.11 fingerprinting.
  • David Wu
    David Wu (@Davidwuuuuuuuu) is a recent graduate of Dartmouth College. There he worked with Sergey Bratus on projects involving VPN fingerprinting and Linux instrumentation. He has developed particle physics simulations for Brookhaven National Laboratory and website analysis tools for Ionic Security. He is currently working as a Software Engineer in Boston.